[squid-users] TCP_RESET non http requests on port 80
Alex Rousskov
rousskov at measurement-factory.com
Wed Aug 24 19:43:18 UTC 2016
On 08/24/2016 12:24 PM, Omid Kosari wrote:
> Alex Rousskov wrote
>> Thus, the existing implementation should cover non-HTTP
>> requests on port 80 (or 3128). If it does not, it is a bug. We should
>> polish the documentation to make this clear.
> The problem is not squid itself . The problem is in some situations for
> example DOS(with malformed requests) , infected clients sends lots of
> requests to target server . The requests goes through squid tproxy so squid
> will send back about 250 byte in reply to each request .
>
> So i am looking for a way to just send tcp reset and not that 250 bytes .
What you said is orthogonal to what I said. There are two parts of the
problem you are trying to solve:
1. Detect a non-HTTP request on port 80.
2. Reset the client connection when #1 happens.
The existing on_unsupported_protocol directive already supports #1 --
bugs notwithstanding, it can be used to generate an error response when
you want. It is also the default behavior.
Once that error response is generated, you want to convert it into a TCP
reset by denying that response _and_ using a matching "deny_info
TCP_RESET". That is part #2. I do not know why deny_info does not work
in your tests.
N.B. Since resetting non-HTTP connections is a common need, it may be
tempting to add a "terminate" action to the on_unsupported_protocol list
of supported actions. However, I am not sure that is a good idea because
resetting a connection is a common need in many contexts. Deny_info may
be a better (more general) solution.
HTH,
Alex.
More information about the squid-users
mailing list